{"id":19935940,"url":"https://github.com/gaelgirodon/propencrypt","last_synced_at":"2025-05-03T12:31:32.722Z","repository":{"id":61036575,"uuid":"338871256","full_name":"GaelGirodon/propencrypt","owner":"GaelGirodon","description":"Encrypt and decrypt multiple properties, in multiple files, at once.","archived":false,"fork":false,"pushed_at":"2024-04-02T21:07:06.000Z","size":47,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-07T16:07:02.425Z","etag":null,"topics":["aes","config","decrypt","encrypt","git","gpg","properties","vault","yaml"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GaelGirodon.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-14T18:20:23.000Z","updated_at":"2023-07-05T13:18:12.000Z","dependencies_parsed_at":"2024-11-12T23:35:21.164Z","dependency_job_id":null,"html_url":"https://github.com/GaelGirodon/propencrypt","commit_stats":{"total_commits":17,"total_committers":1,"mean_commits":17.0,"dds":0.0,"last_synced_commit":"e16f2f6a72506a0114efa0774de971a58bdc754d"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GaelGirodon%2Fpropencrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GaelGirodon%2Fpropencrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GaelGirodon%2Fpropencrypt/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GaelGirodon%2Fpropencrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GaelGirodon","download_url":"https://codeload.github.com/GaelGirodon/propencrypt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252191034,"owners_count":21709000,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes","config","decrypt","encrypt","git","gpg","properties","vault","yaml"],"created_at":"2024-11-12T23:22:42.615Z","updated_at":"2025-05-03T12:31:32.082Z","avatar_url":"https://github.com/GaelGirodon.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
Propencrypt\n\n[![release](https://img.shields.io/github/v/release/GaelGirodon/propencrypt?style=flat-square)](https://github.com/GaelGirodon/propencrypt/releases/latest)\n[![license](https://img.shields.io/github/license/GaelGirodon/propencrypt?color=blue\u0026style=flat-square)](./LICENSE)\n[![build](https://img.shields.io/github/actions/workflow/status/GaelGirodon/propencrypt/build.yml?branch=main\u0026style=flat-square)](https://github.com/GaelGirodon/propencrypt/actions/workflows/build.yml)\n[![tests](https://img.shields.io/endpoint?style=flat-square\u0026url=https%3A%2F%2Fgist.githubusercontent.com%2FGaelGirodon%2Ffbde4d59b7dd3c4f2cc9c4fea3497ae1%2Fraw%2Fpropencrypt-go-tests.json)](https://github.com/GaelGirodon/propencrypt/actions/workflows/build.yml)\n[![coverage](https://img.shields.io/endpoint?style=flat-square\u0026url=https%3A%2F%2Fgist.githubusercontent.com%2FGaelGirodon%2Ffbde4d59b7dd3c4f2cc9c4fea3497ae1%2Fraw%2Fpropencrypt-go-coverage.json)](https://github.com/GaelGirodon/propencrypt/actions/workflows/build.yml)\n[![docker](https://img.shields.io/docker/v/gaelgirodon/propencrypt?color=%232496ed\u0026label=docker\u0026logo=docker\u0026logoColor=white\u0026style=flat-square)](https://hub.docker.com/r/gaelgirodon/propencrypt)\n[![npm](https://img.shields.io/npm/v/propencrypt?color=%23cb3837\u0026logo=npm\u0026style=flat-square)](https://www.npmjs.com/package/propencrypt)\n\nEncrypt and decrypt multiple properties, in multiple files, at once.\n\n## About\n\n**Propencrypt** provides the following features:\n\n- Encrypt and decrypt multiple properties in multiple files at once using the\n  AES-256-GCM symmetric algorithm, without having to encrypt the entire\n  contents of the files, making them _Git-friendly_.\n- Handle multiple file formats (`yaml`, `properties`, etc.): the `pattern`\n  option is used to find values to encrypt.\n- Language-agnostic: encrypt files to store them safely in a Git repository,\n  and decrypt them back before using them as 
you want (e.g., to create a K8s\n  secret).\n- Lightweight (~1 MB to download), dependency-free, easy to install and run.\n\nIt aims to (_modestly_) solve some limitations of these encryption tools:\n\n- **GPG** provides easy file encryption, but the output binary file is not\n  _Git-friendly_ (no diff available, code review is more difficult, etc.).\n- **Ansible Vault** encrypts variables and files. With variable encryption,\n  files are still easily legible (plaintext and encrypted variables can be mixed\n  in the same file), but each string must be encrypted individually making it\n  tedious to work with many properties in multiple files. Furthermore, Ansible\n  Vault is primarily made to work with Ansible.\n- **Jasypt** (through the integration for Spring Boot) provides a Maven plugin\n  allowing encrypting multiple placeholders (`DEC(...)`) at once in an\n  `application.properties` file, but Jasypt is meant to be used as a library\n  in a Java application, so it is not language-agnostic.\n\n## Install\n\nDownload and extract the\n[latest release](https://github.com/GaelGirodon/propencrypt/releases/latest):\n\n```shell\n# Linux (Bash)\nDOWNLOAD_URL=\"https://github.com/GaelGirodon/propencrypt/releases/latest/download\"\ncurl -sL \"$DOWNLOAD_URL/propencrypt_linux_amd64.tar.gz\" | tar xvz\n```\n\n```powershell\n# Windows (PowerShell)\n$DOWNLOAD_URL = \"https://github.com/GaelGirodon/propencrypt/releases/latest/download\"\nInvoke-WebRequest -OutFile \"propencrypt.zip\" \"$DOWNLOAD_URL/propencrypt_windows_amd64.zip\"\nExpand-Archive \"propencrypt.zip\" -DestinationPath ./\n```\n\n## Usage\n\nEncrypt and decrypt properties in files:\n\n```shell\npropencrypt encrypt -k \u003ckey\u003e -p \u003cpattern\u003e [-e \u003cext\u003e] \u003cfiles\u003e\npropencrypt decrypt -k \u003ckey\u003e              [-e \u003cext\u003e] \u003cfiles\u003e\n```\n\nRun `propencrypt --help` to show the help message and\n`propencrypt help \u003ccommand\u003e` to get more information about a 
given command.\n\n### Commands\n\n#### encrypt\n\nThe `encrypt` command reads input files (a list of file names,\n[glob patterns](https://golang.org/pkg/path/filepath/#Match) are supported),\nencrypts and encodes each property value matched by the provided pattern (the\ncapturing group is used to find the value) and creates output files where values\nare replaced by their encrypted counterpart, encoded as Base64 and surrounded by\n`ENC(\u003c...\u003e)`. The name of each output file is the concatenation of the\nassociated input file name and the extension.\n\n```shell\nencrypt -k \u003ckey\u003e -p \u003cpattern\u003e [-e \u003cext\u003e] \u003cfiles\u003e\n```\n\n#### decrypt\n\nThe `decrypt` command reads input files (a list of file names,\n[glob patterns](https://golang.org/pkg/path/filepath/#Match) are supported),\ndecodes and decrypts each property value matched by the `ENC(\u003c...\u003e)` pattern and\ncreates output files where values are replaced by their unwrapped (`ENC()` is\nremoved), decoded (from Base64) and decrypted counterpart. 
The name of each\noutput file is the name of the associated input file without the extension.\n\n```shell\ndecrypt -k \u003ckey\u003e [-e \u003cext\u003e] \u003cfiles\u003e\n```\n\n### Options\n\n| Option            | Description                       | Default | Environment variable  |\n| ----------------- | --------------------------------- | ------- | --------------------- |\n| `-k`, `--key`     | 256-bit encryption key            |         | `PROPENCRYPT_KEY`     |\n| `-p`, `--pattern` | Sensitive property pattern        |         | `PROPENCRYPT_PATTERN` |\n| `-e`, `--ext`     | File extension to append / remove | `.enc`  | `PROPENCRYPT_EXT`     |\n\n\u003e **Note**: options set from the command line take precedence over the\n\u003e environment variables.\n\n#### key\n\n`key` is a 32-byte string used as the symmetric key for property value\nencryption and decryption with the AES-256-GCM algorithm.\n\n#### pattern\n\n`pattern` is a regular expression used to find values to encrypt in files.\nIt must contain exactly one capturing group that matches the property value.\nThis pattern allows finding properties with different names (e.g.,\n`(?:pass|secret|login)=(.+)`), in multiple file types (e.g., `prop: (.+)` for\nYAML, `prop=(.+)` for INI/Properties), etc.\n\n#### ext\n\n`ext` is the extension of the output encrypted file. By default, input files\nare not modified during encryption: output files with encrypted values are\ncreated as `\u003cinput-file-name\u003e\u003cext\u003e`. This extension is removed from the\nencrypted file name during decryption to get back to the input file name\n(original unencrypted files are overwritten if they exist). 
This extension\ncan be set to an empty value (`--ext \"\"`) to edit files in place.\n\n## Example\n\nGiven `config.yml`, a configuration file where passwords need to be encrypted:\n\n```yml\ndatabase:\n  url: mysql://host/db\n  username: app\n  password: secret\n```\n\nEncrypt passwords using the `encrypt` command (add `--ext \"\"` to edit the file\nin place):\n\n```shell\npropencrypt encrypt --key \u003ckey\u003e --pattern \"password: (.+)\" config.yml\n```\n\nA new file with encrypted passwords, `config.yml.enc`, is created:\n\n```yml\ndatabase:\n  url: mysql://host/db\n  username: app\n  password: ENC(\u003cbase64-encrypted-value\u003e)\n```\n\nIt can be decrypted back to `config.yml` using the `decrypt` command:\n\n```shell\npropencrypt decrypt --key \u003ckey\u003e config.yml.enc\n```\n\n## License\n\n**Propencrypt** is licensed under the GNU General Public License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgaelgirodon%2Fpropencrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgaelgirodon%2Fpropencrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgaelgirodon%2Fpropencrypt/lists"}